The CyberWire Daily Podcast 7.21.22
Ep 1624 | 7.21.22

Notes on the underworld: emerging, enduring, and vanishing gangs, and their C2C markets. More spearphishing of Ukrainian targets. US CYBERCOM releases IOCs obtained from Ukrainian networks.


Dave Bittner: A criminal talent broker emerges. Developing threats to financial institutions. Phishing through PayPal. Lessons to be learned from LAPSUS$ post-flameout. More spearphishing of Ukrainian targets. U.S. Cyber Command releases IOCs obtained from Ukrainian networks. Johannes Ullrich from SANS on the value of keeping technology simple. Our guests are Carla Plummer and Akilah Tunsill from the organization Black Girls in Cyber. And not really honor but honor's self-interested first cousin.

Dave Bittner: From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Thursday, July 21, 2022.

A criminal talent broker emerges.

Dave Bittner: Cyberint reports the emergence of a new criminal threat group, the Atlas Intelligence Group, also known as the Atlantis Cyber-Army. Atlas is unusual in its business model - recruitment of cyber-mercenaries to do specific jobs for campaigns known only to the administrators. The group has been operating and growing since May of this year, advertising in Telegram markets and its own dedicated Telegram accounts. Their customers access their services in an e-commerce store hosted on the Sellix platform. 

Dave Bittner: A guy who goes by the hacker name Mr. Eagle and presents himself as the group's leader lists Atlas Intelligence Group's services - exclusive data leaks, distributed denial-of-service campaigns for hire, RDP attacks and initial access. The group suggests in its advertising that it has connections with corrupt law enforcement personnel in Europe. But such claims, of course, are difficult to verify. Cyberint says most of their databases for sale are government-related, while access to RDP clients and webshells that are being sold mostly belong to organizations from the finance, education and manufacturing industries. 

Dave Bittner: The permanent staff includes Mr. Eagle and perhaps four admins. They're engaged, fundamentally, in outsourcing, acting as recruiters and brokers for the talent that actually delivers the illicit services - rogue pentesters, social engineering specialists and malware developers. They keep their crews compartmentalized. The actual workers know only about the specific capers they've been hired to pull off. Cyberint gives the gang credit for maturity and sophistication. While this may be true in operational terms, as far as self-presentation goes, the diction is the crude, strutting, subliterate stuff one expects from the underworld. 

Dave Bittner: The Atlas Intelligence Group has been seen to target countries around the world, including the U.S., Pakistan, Israel, Colombia and the United Arab Emirates. Cyberint doesn't say who buys from Atlas. Calling them mercenaries suggests that their clientele may be states, but then criminal gangs bring in hired guns as well. And one final note on naming - Atlas Intelligence Group is referred to in some reports as AIG. They are not to be confused with the large and legitimate insurance and financial service company American International Group, the real AIG. 

A developing threat to financial institutions. 

Dave Bittner: Proofpoint today released a study of the TA4563 threat group and the EvilNum malware it's deployed against financial institutions, mostly in Europe. The group is particularly interested in financial institutions that deal with foreign exchange, cryptocurrency and decentralized finance. EvilNum itself is a backdoor that, once in place, can be used either for data theft or for staging further malware. Proofpoint concludes, EvilNum malware and the TA4563 group pose a risk to financial organizations. Based on Proofpoint analysis, their malware is under active development, although Proofpoint did not observe follow-on payloads deployed in identified campaigns. Third-party reporting indicates EvilNum malware may be leveraged to distribute additional malware, including tools available via the Golden Chickens malware-as-a-service. TA4563 has adjusted their attempts to compromise the victims using various methods of delivery. While Proofpoint observed this activity and provided detection updates to thwart it, it should be noted that a persistent adversary will continue to adjust their posture in their compromise attempts. 

Phishing through PayPal.

Dave Bittner: Avanan this morning reported that criminals have been seen using a PayPal account to distribute phishing emails. Avanan says starting in June 2022, our researchers have seen hackers use PayPal to send malicious invoices and request payments. The hackers send the email from PayPal's domain using a free PayPal account that they have signed up for with the email body spoofing brands like Norton. The approach is similar to one seen earlier this summer in which criminals used QuickBooks to send phishing emails. The tactic is attractive because most allow lists view QuickBooks domains as legitimate and pass the email right through. 

Dave Bittner: Avanan researchers call the practice of attackers using websites that appear on static allow lists to get in the victim's inbox the static expressway. This same tactic is being used again with PayPal, where criminals have sent out fake invoices that rely on the legitimacy of PayPal to reach inboxes. Reportedly, the attack works because of what is known on the dark web as a double spear. They induce the victim to call a number and pay the invoice, which gives the attackers not only your email but your phone number and all too often your money as well. 

Lessons to be learned from LAPSUS$, post-flameout.

Dave Bittner: The LAPSUS$ Group, which blazed like a skyrocket last year with its gaudy, wild and opportunistic data theft and doxing extortion scams, has now effectively fizzled out. Some of its script-kiddie leaders have received police attention, and the group no longer seems to be a player in the underworld. Tenable has published a look at the LAPSUS$ record with a view to seeing what can be learned from the group's career. LAPSUS$ was motivated equally, it seems, by cash and cache. Specifically, three characteristics can be discerned in the group's history - lower maturity tactics and behaviors, priority for clout and notoriety, and a primary focus on monetary goals. 

Dave Bittner: The group's career followed the sort of arc one might expect. It began with DDoS and website vandalism, then moved up to data theft. Tenable sums the group's life like this - characterized by erratic behavior and outlandish demands that cannot be met - at one point, the group even accused a target of hacking back - the LAPSUS$ Group's tenure at the forefront of the cybersecurity news cycle was chaotic. It's hard to say how much money the LAPSUS$ group has earned from its enterprise, but it cannot be denied that the group gained notoriety for better or worse. Three months since the peak of LAPSUS$ attacks and arrests, the group remains largely inactive. And we hope the script kiddies have been scared straight, no more to break their mother's hearts. 

More spearphishing of Ukrainian targets. 

Dave Bittner: Late yesterday, Mandiant released a report on spear phishing campaigns in progress against Ukrainian targets. Two groups, one Russian, the other Belarusian, have been recently active. The Russian-aligned actor UNC2589 uses evacuation-themed emails as its phish bait, as well as notes about wages and compensation. Mandiant notes uncertainty about UNC2589's provenance, let alone its exact place in Moscow's organization charts. The Belarusian group UNC1151, believed to provide technical support for GhostWriter, uses a proffer of advice on how to shelter while under artillery fire as its phish bait. So the lures in this case trade more on fear than anything else. Evacuation and shelter in place under shellfire are very high in Ukrainian minds. 

US Cyber Command releases IOCs obtained from Ukrainian networks.

Dave Bittner: Staying with some news related to Russia's war against Ukraine, U.S. Cyber Command's National Cyber Mission Force has released a large set of indicators of compromise - 20 in all - obtained from Ukrainian networks. The IOCs are interesting and useful in themselves, but the release also indicates how closely U.S. Cyber Command is working with its counterparts in the security service of Ukraine. The announcement from Fort Meade reads in part, our Ukrainian partners are actively sharing malicious activity they find with us to bolster collective cybersecurity, just as we are sharing with them. We continue to have a strong partnership in cybersecurity between our two nations. 

Not really honor, but honor’s self-interested first cousin.

Dave Bittner: HP Wolf Security released a report today detailing the evolution of cybercrime. The story it tells is one of commodification and one of the maturation of the C2C markets in general. Stolen credentials can be had, the researchers say in the screamer that opens their press release, for the price of a gallon of gas. The security firm's threat team worked together with Forensic Pathways to investigate the dark web for three months and analyzed over 35 million criminal marketplaces and forum posts. It was found that malware is cheap and accessible, as over three-quarters of malware advertised and 91% of exploits are priced at under $10, with average remote desktop protocol credentials going for five bucks. Vendors have been found to sell products in bundles such as plug-and-play malware kits, tutorials, mentoring services and the like, which reduce the barrier to entry for inexperienced coders and hackers. The researchers also found that there is a utilitarian sense of honor among cyber criminals, noting that trust and reputation are valued in the cyber criminal underworld. Seventy-seven percent of observed marketplaces require a vendor bond. Eighty-five percent use escrow payments. And 92% have a third-party dispute resolution service. Cyber crime has also increasingly taken place on popular software, with threat actors using gaps and vulnerabilities in software such as the Windows OS, Microsoft Office, content management systems and web and mail servers. So egoism and altruism can have indistinguishable results, for which the authors of the Federalist Papers wouldn't have been surprised. 

Dave Bittner: The nonprofit organization Black Girls in Cyber was founded in 2020 with the goal of increasing industry awareness and diversity in cybersecurity, privacy and STEM for women of color. Joining us today to share more about their mission are Carla Plummer and Akilah Tunsill. Carla Plummer is an information security engineer at Intel. And Akilah Tunsill is a security delivery analyst at Accenture Federal Services. Our conversation starts with Carla Plummer. 

Carla Plummer: I think one of the biggest challenges, you know, from - you look at the genesis of everything - is even knowing that it is a possibility, right? And so past that challenge of - when you look at a lot of colleges in departments of engineering, there's not very many women to begin with. And then there's not very many women of color, from that perspective. So that is one of the major challenges. Second major challenge is being able to translate some of your skills that may not necessarily be cyber/IT specific. How do you go about translating the skills that you do have that can be an asset to the industry to, you know, a hiring manager or team to show that you can provide value, you know? And so that's one of the bigger challenges there. 

Dave Bittner: Akilah, I'm particularly interested in what Carla says about that awareness issue. I mean, what - can you sort of give us some insights - when you're out there spreading the word about this, what's the reaction like for the young women that you're speaking to or the folks who are looking to, you know, change their career path? Is it a bit eye-opening for them that these options are out there? 

Akilah Tunsill: Yes, absolutely. I think so. There's thought that, you know, cybersecurity or anything technology is sort of just out of your reach because you have that notion that this is too difficult to even understand, or, you know, you have to have, you know, a ton of experience and a ton of knowledge that you just never heard of, so, you know, learning a new language and trying to, I guess, connect that to real-life situations. Like, how can I have a career in this, you know? I think that's the kind of consensus because we're just not exposed to it. So, I mean, you only understand what you know and what you've been exposed to, right? 

Akilah Tunsill: So I think that the stigma behind encouraging young women, especially young women of color - and, in general, I don't think that technology has been - is just becoming, you know, I guess, mainstream in the sense that we think about traditional careers, paths and so forth. Like, people from my generation - like, you know, I'm from the '80s. You know, I was born in the '80s, so, you know, we only thought about being a teacher, a doctor, lawyer or something like that, right? You weren't really thinking about technology as a career path. Like, what do you do in that, you know? And because it's so vague, I think that there's lots of different ways to interpret, what is cyber? Like, what kind of career is that, you know? There's just so many different things you can do in the field that it kind of makes it hard to grasp - what can I do in this field? 

Carla Plummer: I think one of the challenges - sorry, not to cut you off - but just to piggyback on something that Akilah said, is a lot of people believe that every role within cyber is uber technical, right? Everyone, even now - you know, I try to explain to my mom or my family what I do, and they're like, oh, you're a hacker. No, that's not what I do exactly. And so, you know, what society portrays versus - the message we're trying to spread sometimes is contradictory because, like Akilah said, you only know what you know. And if you're getting most of your information from the mainstream media and not diving yourself into the industry, really, that you don't really get to understand that, yeah, there are a lot of technical roles, sure; but there are also so many nontechnical roles that play a part in developing a cyber strategy as a whole. 

Dave Bittner: And what exactly does your outreach look like? How are you out there spreading the word about this? 

Carla Plummer: So we do lots of - we're on every social media platform - so Facebook, Instagram, Twitter, LinkedIn. And that comes through most of our marketing campaign. Our events team, who - I can't even count how many number of events. They do lots of day-in-the-life series so that - to give people an understanding and a little insight into different careers and things like that. Those events are generally open to the public, free to join the Zoom webinars, to ask questions and things of that nature. So that is mostly how we spread. From there, you know, we have our fellowship, which - Akilah and I serve as the co-directors over their cybersecurity curriculum. We offer volunteer - you know, other people, even if you're not cybersecurity professionals but want to volunteer to help us out and learn from that perspective - those opportunities out there that are available. Don't get stuck on the title of a position and things like that. Just continue to move forward. And feel free to reach out to us. I mean, we have lots of free resources that we can steer you to help you, you know, in your journey. 

Dave Bittner: That's Carla Plummer and Akilah Tunsill from Black Girls in Cyber. 

Dave Bittner: And I'm pleased to be joined once again by Johannes Ullrich. He is the dean of research at the SANS Technology Institute and also the host of the "ISC StormCast" podcast. Johannes, it's always great to welcome you back. You know, you and I - we both spend a little bit of time over on Twitter. And something that I see happen a lot is that some innocent user will post something about how they did this, that or the other. They - I don't know, they used a QR code or something like that. And in come all of the information security professionals rolling their eyes and saying, oh, don't ever do that. Don't ever do that. And then typically there's some back and forth, that, you know, not everyone's security situation is the same. Is there something to be said here for just sort of keeping things simple? 

Johannes Ullrich: Yeah. Keeping things simple - also, keep the user in mind. And keep in mind what you're protecting. And kind of keep security reasonable with respect to what you're protecting. I always tell this story from the guard in the dog park I used to go to - 70-something years old, makes $12 an hour. And the apartment complex he lives in - well, he used to pay by check - as you're doing here in the U.S. - his rent every month until the management company decided he has to do a bank transfer now, which he hasn't really done before. So his solution to the problem was to give the manager the username and password for his online banking account so they can set it up for him. But, OK, in this case, you say, OK, it's terribly insecure. It is. I don't recommend you do that. But actually, in this case, it was in some ways better than getting evicted. 

Johannes Ullrich: Right, right. 

Johannes Ullrich: And I always say QR codes are a little bit similar, you know? What's a threat you're protecting the user from? A QR code is a very simple way to get users to visit the correct website. It works with mobile devices, which now is, for the most part, a default computing device for a lot of people. These same devices have impossible-to-use keyboards for the most part, and the threat that is often described is hey, but you don't know where you are ending up. So someone could redirect you to a malware site, to a phishing site or whatnot else. Well, what's the alternative? A shortcode doesn't really provide any kind of protection here as far as being redirected to a bad site. Or, even worse, let the user type a real long, weird URL on a mobile keyboard. They're probably going to put a typo in there, and then you have typo-squatting domains. So in many ways, by not using QR codes, you may actually hurt the business purpose here, but you're not really adding a lot of security. And I think there are a lot of things like this where some of these sort of security establishment mafia kind of, you know, is going overboard... 

Dave Bittner: Right, right. 

Johannes Ullrich: ...And trying to do things, trying to secure things that really - in the end, you have to remember that the goal of security is to stay in business. 

Dave Bittner: Well, also I think it comes up pretty regularly - practically a cliche - where you'll see some elderly person has a notebook full of all of their passwords, and, you know, they get criticized for that. But I mean, it seems like a perfectly reasonable use case for me. The chances are there aren't, you know, bands of people trying to break into that person's apartment on the lookout for password books, right? 

Johannes Ullrich: Another example I always use - like, I have - what is it? - Z-Wave door lock. And people always say, hey, you know, that's terribly insecure. And I tell people, please, if you're breaking in my house, please hack my door lock because I'm living in an old historic house, and the top half of the door is actually an old window glass pane. If you smash that with a brick and I need to replace it, it's a lot more money than breaking or hacking the door lock. So, again, you know, I don't see a lot of burglars walking around with Bluetooth-hacking kits. Usually I see them walking around with a brick and hardware. 


Dave Bittner: Right, right, right, right (laughter), right - wearing a mask and a black-and-white-striped shirt. 


Dave Bittner: Yeah. I mean, I think, you know, one of the take-homes for me is don't let the perfect be the enemy of the good, right? 

Johannes Ullrich: Yes. That's very important with security. And I see this getting so often a wave where someone says, hey, there's a vulnerability - security feature X - it can be bypassed. Does it take more work to bypass than it takes to implement a security feature? 

Dave Bittner: Yeah. All right, well, Johannes Ullrich, thanks for joining us. 

Johannes Ullrich: Thank you. 

Dave Bittner: And that's the CyberWire. For links to all of today's stories, check out our daily briefing at The CyberWire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Liz Irvin, Elliott Peltzman, Tre Hester, Brandon Karpf, Eliana White, Puru Prakash, Justin Sabie, Rachel Gelfand, Tim Nodar, Joe Carrigan, Carole Theriault, Ben Yelin, Nick Veliky, Gina Johnson, Bennett Moe, Chris Russell, John Petrik, Jennifer Eiben, Rick Howard, Peter Kilpe, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow.